Use jailshell as the default shell for all new accounts and modified accounts

Go to Server Setup =>> Tweak Security

Enable php open_basedir Protection

Enable mod_userdir Protection

Disable Compilers for unprivileged users.

Go to Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Go to Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable "Allow Creation of Packages with Shell Access" and enable "Never allow creation of accounts with shell access"; under Root Access disable "All Features".

Go to Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Go to Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)

Go to MySQL =>> MySQL Root Password

Change root password for MySQL

Go to Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl-O on your keyboard, and then exit by pressing Ctrl-X on your keyboard.

Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.

Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.

Disable Telnet

To disable telnet, SSH into the server and log in as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart
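The two config edits above (PermitRootLogin in sshd_config, and disable = yes in the xinetd telnet file) are easy to get subtly wrong, for example by editing only the commented-out line, or by leaving an earlier "PermitRootLogin yes" in place, which sshd honours because it uses the first occurrence of a keyword. The script below is an added example, not something from this thread or from cPanel; it applies both edits to whatever file you pass it and then checks the result, so you can try it on a scratch copy before touching /etc/ssh/sshd_config and /etc/xinetd.d/telnet and restarting the services as described above. It assumes plain files without sshd "Match" blocks.

```shell
#!/bin/sh
# Added example: apply and verify the two edits described in the thread.
# The functions take the file as an argument so they can be exercised on a
# scratch copy first; no real system file is touched unless you pass it.

# Set PermitRootLogin to "no". Handles the commented default "#PermitRootLogin yes"
# as well as an active "PermitRootLogin yes"; if the file has no such line at
# all, the directive is appended (OpenSSH of that era defaulted to "yes").
# All matching lines are rewritten, so a later stray "yes" cannot win.
disable_root_login() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    if grep -Eq '^[#[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf 'PermitRootLogin no\n' >> "$cfg"
    fi
}

# Return 0 only if the first active PermitRootLogin directive is "no"
# (sshd uses the first occurrence; a missing directive counts as not disabled).
root_login_disabled() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1" | grep -qx 'no'
}

# Flip "disable = no" to "disable = yes" in an xinetd service file.
disable_xinetd_service() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    sed -E 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*)no[[:space:]]*$/\1yes/' "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Return 0 if the service file carries an active "disable = yes".
xinetd_service_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Demonstration on constructed copies of the two files (not real system files).
demo() {
    dir=$(mktemp -d)
    printf '#Port 22\n#PermitRootLogin yes\nX11Forwarding yes\n' > "$dir/sshd_config"
    printf 'service telnet\n{\n\tflags = REUSE\n\tdisable = no\n}\n' > "$dir/telnet"
    disable_root_login "$dir/sshd_config"
    disable_xinetd_service "$dir/telnet"
    root_login_disabled "$dir/sshd_config" && echo "sshd_config: root login disabled"
    xinetd_service_disabled "$dir/telnet" && echo "telnet: disabled in xinetd"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see it work on the scratch copies; to apply it for real, call the two disable_ functions on the actual files, confirm with the two check functions, and only then restart sshd and xinetd. Keep your existing SSH session open while you do it, for the reason given further down in this thread.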

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Now every time someone logs in as root, they will see this message... go ahead and try it.
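The steps for the e-mail itself are not in this copy of the post, only the banner. What follows is an added example of one common way to do it, not the original poster's steps: a small hook appended to /root/.bash_profile that mails an alert whenever root gets an interactive login shell. The recipient address is a placeholder, and the "who am i" parsing assumes the usual column layout with the remote host in parentheses at the end of the line.

```shell
#!/bin/sh
# Added example: mail an alert on interactive root login.
# Append to /root/.bash_profile (assumed location) and uncomment the last line.

ALERT_RCPT="your@email.com"   # placeholder: replace with your own address

# Extract the remote host from a "who am i" line such as
#   root     pts/0        2004-03-01 12:00 (192.0.2.10)
# Console logins carry no "(host)" field; those are reported as "local".
alert_source() {
    printf '%s\n' "$1" | awk '{
        h = $NF
        if (h ~ /^\(.*\)$/) { gsub(/[()]/, "", h); print h } else print "local"
    }'
}

# Build the alert body: host, time, source address and the raw who line.
alert_body() {
    printf 'ALERT - root shell access on %s\nTime: %s\nFrom: %s\nWho:  %s\n' \
        "$(hostname)" "$(date)" "$(alert_source "$1")" "$1"
}

# Send the alert. Only fires for an interactive shell owned by uid 0, so
# sourcing this file from a non-interactive context stays silent.
send_root_alert() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    [ "$(id -u)" -eq 0 ] || return 0
    line=$(who am i)
    alert_body "$line" | mail -s "Root login on $(hostname) from $(alert_source "$line")" "$ALERT_RCPT"
}

# send_root_alert   # uncomment once this lives in /root/.bash_profile
```

Treat this as a convenience, not a control: a .bash_profile hook only runs for interactive login shells (not for scp, cron or "su -c"), and the authoritative record of root logins is still the auth log and PAM, which is where a log monitor such as the Logwatch report mentioned later in this thread should be looking.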

Disable Shell Accounts

To disable any shell accounts hosted on your server, SSH into the server and log in as root.

After BFD (Brute Force Detection) has been installed, you need to edit its configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"

Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD

At command prompt type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses your system's logs for a given period of time and creates a report covering the areas that you specify, in as much detail as you require. Logwatch is already installed on most cPanel servers.

Also, this has been hashed and rehashed millions of times. One just needs to do a search. It would be much nicer if you wrote about things that haven't been repeated about a million times.


Yep, it has been rehashed millions of times. I just did it again with everything in one place. The reason why is because back when I was learning how to do it, I had to search all over the place to find it. Now, months later, I see that newcomers are still having to do the same thing.

Well, the other guy is right... ::fail:: is preferable to blackhole. The reasons...
Blackhole accepts everything sent to it and throws away the email not going to an actual account. This uses the full amount of bandwidth, and also requires that the server be reading and writing messages to disk before they are deleted... multiply this by 1,000 messages a day or so (I've got a domain that gets way more than that, especially when the latest fast-spreading virus comes out) and you can have a fair amount of load just processing junk messages.
Fail stops invalid recipients from entering the mailserver in the first place... exim will reject the message during the SMTP conversation, and for invalid recipients it should reject during the header phase, saving you the bandwidth of the data... not insignificant when you're getting 130 KB or so in a binary attachment virus thousands of times per day (remember the virus that sent itself out looking like Windows Update emails from Microsoft?). The sending mailserver then has to deal with the unwanted email. Rejecting messages means your server doesn't have to deal with them. It's also nice for people accidentally mistyping an address to get an error back, instead of it just disappearing so they think it went through.

My server can do many hundreds of thousands more ::fails:: than it can do ::blackholes::.
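The difference the reply describes is visible in exim's mainlog: with :fail: as the default address, the bad recipient is refused during the SMTP conversation and shows up as a "rejected RCPT" line with no message data ever transferred, while with :blackhole: the message is accepted in full (the "<=" line with its S= size) and then delivered to :blackhole:. The script below is an added example, not from this thread, that tallies both cases over a constructed log and adds up the bytes that were accepted only to be thrown away. The sample lines follow the general exim log layout (date, time, message id, direction marker) but are made up for the example.

```shell
#!/bin/sh
# Added example: count :fail: rejections versus :blackhole: deliveries in an
# exim mainlog and sum the bytes that were accepted and then discarded.

# Constructed sample log (not a real server's log). Two recipients are refused
# at RCPT time (what :fail: does), one 130240-byte message is accepted and
# then blackholed, and one ordinary message is delivered to a local user.
sample_exim_log() {
    printf '%s\n' \
'2004-03-01 10:00:01 H=(mail.example.net) [192.0.2.10] F=<spam@example.net> rejected RCPT <nobody@example.com>: No Such User Here' \
'2004-03-01 10:00:05 1Ayyyy-0001Ab-Cd <= spam@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=130240 id=x@example.net' \
'2004-03-01 10:00:05 1Ayyyy-0001Ab-Cd => :blackhole: <nobody@example.org> R=virtual_aliases' \
'2004-03-01 10:00:05 1Ayyyy-0001Ab-Cd Completed' \
'2004-03-01 10:01:00 H=(mail.example.net) [192.0.2.10] F=<spam@example.net> rejected RCPT <guest@example.com>: No Such User Here' \
'2004-03-01 10:02:00 1Azzzz-0002Cd-Ef <= user@example.net H=(mx.example.net) [198.51.100.5] P=esmtp S=1024 id=y@example.net' \
'2004-03-01 10:02:00 1Azzzz-0002Cd-Ef => bob <bob@example.com> R=localuser T=local_delivery' \
'2004-03-01 10:02:00 1Azzzz-0002Cd-Ef Completed'
}

# Print "rejected=N blackholed=N blackholed_bytes=N" for the log file in $1.
# The message id is field 3 on "<=" and "=>" lines, which lets the size seen
# on arrival be attributed to the later :blackhole: delivery.
tally_exim_log() {
    awk '
        / rejected RCPT / { rejected++ }
        / <= / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^S=[0-9]+$/) { sub(/^S=/, "", $i); size[$3] = $i }
        }
        / => :blackhole: / { blackholed++; bytes += size[$3] }
        END { printf "rejected=%d blackholed=%d blackholed_bytes=%d\n", rejected, blackholed, bytes }
    ' "$1"
}

# Demonstration on the constructed sample; point tally_exim_log at
# /var/log/exim_mainlog (the usual cPanel path, assumed) to run it for real.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_exim_log > "$f"; tally_exim_log "$f"; rm -f "$f"
fi
```

On the sample this reports rejected=2 blackholed=1 blackholed_bytes=130240: the two :fail: rejections cost nothing beyond the SMTP envelope, while the single blackholed message cost the full 130 KB of transfer plus a disk write before it was dropped.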

Yes... simply opening a new ssh window and logging in for a new session will let you test your settings when you monkey with anything having to do with ssh. If it won't let you login, you can still use your open window to edit the config files and try again. However, it won't help you if you've managed to block access to SSH with a firewall, or totally kill ssh (like up2date did to me once). Then it's really nice to have webmin (www.webmin.com), or some other alternate way of getting in to your server to edit config files or get a command prompt.

Yes, mr.wonderful's reply is true. Fail is better than blackhole for the reasons explained by dezignguy. I was using blackhole for a while until one day I saw a post by chirpy explaining what each does. I then switched to fail and noticed a difference, plus the advantage of people who mistype being notified.

For those of you wanting to disallow access to WHM / cPanel via the insecure ports (2082 & 2086), all you need to do is exclude these ports from the IG_TCP_CPORTS environment variable; access to either one of these ports will then time out.
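IG_TCP_CPORTS is the inbound TCP port list in the APF firewall's conf.apf (the /etc/apf/conf.apf path is assumed here). The following is an added example, not from this thread, of rewriting that line so that the plaintext ports 2082 and 2086 are dropped while their SSL counterparts 2083 and 2087 stay open; it works on any file you pass it, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: drop given ports from a comma-separated list and apply the
# result to the IG_TCP_CPORTS line of an APF-style config file.

# strip_ports LIST "P1 P2 ..." prints LIST without the named ports.
strip_ports() {
    printf '%s\n' "$1" | awk -v drop="$2" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        {
            n = split($0, p, ","); out = ""
            for (i = 1; i <= n; i++)
                if (!(p[i] in skip)) out = out (out == "" ? "" : ",") p[i]
            print out
        }'
}

# Rewrite IG_TCP_CPORTS="..." in the file given as $1, removing 2082 and 2086
# (the plaintext cPanel and WHM ports). Other lines are left untouched.
harden_cports_file() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    cur=$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    new=$(strip_ports "$cur" "2082 2086")
    sed "s/^IG_TCP_CPORTS=\"[^\"]*\"/IG_TCP_CPORTS=\"$new\"/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demonstration on a constructed copy of the relevant lines (not the real file).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '# constructed sample\nIG_TCP_CPORTS="22,25,53,80,110,143,443,2082,2083,2086,2087"\nIG_UDP_CPORTS="53"\n' > "$d/conf.apf"
    harden_cports_file "$d/conf.apf"
    cat "$d/conf.apf"
    rm -rf "$d"
fi
```

After editing the real file, restart APF so the new list takes effect, and confirm from a second session that port 2083 and 2087 still answer before closing the one you are in.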